Introduction to IP risk management:
Risk is the chance of something going wrong, and the danger that damage or loss will occur. By its very nature, there are both rewards and risks associated with IP. For anyone involved in IP, then IP related risks are part of working life.
Any business professor will tell you that the value of companies has been shifting markedly from tangible assets, "bricks and mortar", to intangible assets like intellectual property in recent years. Research has indicated that intangibles now account for about 80% of the total value of many companies. There is no data available on the scale or size of the risks associated with IP facing companies, but one can assume that it is significant, and probably around this 80% mark.
Not all IP risks are the same and they may be broken down into a variety of different categories, such as the form of IP involved (e.g. patents, trademarks, copyright, trade secrets, etc.), the source or origin of the IP related risk, the impact and probability of the IP risk, the date when the risk is likely to materialize, the geographical nature of the IP risk, whether they are generic or specific in nature, the group or sub-group within the organization most impacted by this risk, etc.
I would argue that every organization faces IP related risks.
When to take it really seriously:
Companies should ideally take IP risk management seriously at all times. However there are a number of events, situations or triggers which should prompt them to really pay attention to this IP process. IP risk management should be of particular interest to anyone …
Operating in an IP litigious environment
Coming up for exit or listing
Anxious to get IP risk management under control
Whose executive management team are demanding visibility
Experiencing major business changes
Facing a major IP risk and realising that they are unprepared
Interested in proper governance of IP
Operating in an IP litigious environment:
Some companies simply operate in very IP litigious environments. This may be due to where the economic cycle is where it is, with a lot of different parties up and down the value chain finding it tough and trying to protect margins and cash flows.
It may be due to the activities of Non Practicing Entities.
It may even be due to the role that Inter-Operability Standards Bodies play in certain industry sectors and the impact of their light touch IP policies.
Coming up for exit or listing:
Regardless of whether the company is heading towards a merger & acquisition ( merging with a similar company, or being bought by a larger company); planning an initial public offering; or seeking major investment, then is a critical moment from an IP risk management perspective.
Almost certainly, an IP due diligence exercise will be conducted. This is essentially an audit to assess the quantity and the quality of IP assets owned by, or licensed to, a company. It should also include an assessment of the IP related risks facing that target company plus details of if and how these IP related risks are being mitigated.
Coming up for exit or listing also increases the chances of your company being attacked from an IP perspective. From the perspective of an NPE, the company resembles a deer or rabbit caught in the headlights.
Anxious to get IP risk management under control:
In reactive mode, the behavior of the organization is not internally motivated but manifests in response to a situation or the actions of others. When an IP related risk materializes, then and only then does the organization react. Reactive change occurs when an organization makes changes in its IP practices after some threat has already occurred. Reactive aims to deal with the consequences of an IP risk.
However, operating in reactive mode has some major drawbacks, in that many solutions to help mitigate IP related risks are ‘off the table’ once the IP related risk has materialized. It is very difficult to take out house insurance if your house is already up in flames.
Reactive mode is sometimes referred to as firefighting, the emergency allocation of IP resources, required to deal with an unforeseen IP problem. Just as in the real world, there is an assumption that "fires" are unpredictable and that they must be dealt with immediately. However, a too-frequent need for emergency IP action may reflect poor planning, or a lack of organization, and is likely to tie up valuable IP resources that are needed elsewhere.
When IP related risk work consists almost entirely of fighting fires, rather than dealing with things in a rational, prioritized manner, and devoting some time to medium-term and long-term issues, then a serious problem can arise. The problem is, that once you are in firefighting mode, the lack of medium and long-term focus just causes more IP fires to pop up down the road. Hence, it is a vicious cycle, and it can eventually wreak havoc on the morale of the overworked IP resources. Also, stress related to continuous firefighting becomes an issue of concern.
Whose executive management team are demanding visibility:
Most large enterprises have a procedure for managing corporate risks. The procedure is intended to identify, record, and communicate risks in terms of their comparative importance to the company. The corporate risk register also forms the basis for reporting risk issues in the annual report. The information is usually stored in a central register, catalog, or inventory of risks. This should contain information suitably sorted, standardized, and merged for relevance to the appropriate level of management. Its key function is to provide management, the board, and key stakeholders with significant information on the main risks faced by the business.
Simply put, IP related risks cannot be excluded from this process.
Experiencing major business changes:
Many companies live in rapidly changing times. Consider that, in a single generation, many businesses have had to adapt to entirely new marketing channels such as the internet and social media, decide how to invest in and utilize many brand new technologies, embrace big data, and compete on a global stage.
Interestingly, many industry sectors have also been disrupted by the arrival of pure or almost pure IP companies into the mix - the world’s largest taxi company owns no vehicles; the world’s most popular media owner creates no content; the most valuable retailer has no inventory; and the world’s largest accommodation provides owns no real estate.
Facing a major IP risk and realising that they are unprepared:
Regardless of why one is interested in IP risk management, it is best to master IP risk management when things are calm rather than when one is tackling a major IP risk, when pressure is intense and everything seems chaotic and dis-organized.
This is not the right time for a GC, CIPO or IP Manager to have to go to the Board and explain that the IP risk management process is to ‘panic widely and run away’.
Interested in proper governance of IP:
In the case of a business, governance relates to consistent management, cohesive policies, proper guidance, well defined processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might involve evolving policies on privacy, on internal investment, and on the use of data.
Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a company. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the corporate goals.
IP Governance is simply about defining the rules for this particular Corporate function. It is the process of decision-making and the process by which decisions are implemented (or not implemented) within the Corporate IP Department. Ideally the process should distinguish between strategic and tactical decisions.
IP Governance may not be a hot issue, but if the value (and risks) of intangible assets is now equalling or surpassing the value (and risks) of tangible assets within a company, then that function with responsibility for managing those intangible assets needs to behave well and adopt good governance practices.
Taking it seriously?
IP risk management is a practice that deals with processes, methods, and tools for managing IP risks in a project, business unit or organization. It is initially about the identification, assessment, and prioritization of IP related risks followed by the coordinated and cost-effective application of resources to reduce or eliminate the probability and/or the impact of these IP related risks to the organization.
IP risk management involves understanding, analysing and addressing IP related risks to make sure organizations achieve their objectives. So it must be proportionate to the complexity and type of organization involved. Proper IP risk management is an integrated and joined up approach to managing IP related risks across an organization and its extended networks.
IP risk management is about ensuring that the business really understands its IP related risks, and then mitigates pro-actively. The rationale for this may be driven by the need for freedom to use technologies already in use or being considered for use in the company’s products, but there are many other reasons why businesses need to take IP risk mitigation seriously.
The focus should be on risk mitigation and not just of risk evaluation. Risk mitigation covers efforts taken to reduce either the probability or consequences of a threat. Risk mitigation efforts may range from physical measures to financial measures.
IP risk management is not easy and a number of components need to be in place for a company to truly master this aspect of IP. I strongly suggest that the following components are needed …
Good IP and IP related Risk awareness and education
A robust fit for purpose IP Risk Management process
IP Risk Management system / tool
Data (IP related risks, actions, documents, reports)
A variety of IP Risk Mitigation solutions
IP Risk Management resourcing (people, budget)
Proper IP Risk Management governance
Companies should ideally take IP risk management seriously at all times. However there are a number of events, situations or triggers which should prompt them to really pay attention to this IP process.
IP risk management is about operating in proactive mode, taking preventative measures, ideally aiming to stop the IP risk before it happens. It is about prioritizing risks, prioritization being a combination of the possibility of the risk occurring and estimating the impact. It is however not just about analysing the possibility that some risk will actually occur, but also making sure they have a recovery plan in place, and that the recovery plan has been stress tested.
Companies need to carve out time in their schedule for IP risk management, and taking responsibility to ensure that they have a good fit for purpose IP risk management process in place.